const char *krb_service_name;
int krb_authoritative;
int krb_delegate_basic;
+ int krb_ssl_preauthentication;
#ifdef KRB5
char *krb_5_keytab;
int krb_method_gssapi;
command("KrbDelegateBasic", ap_set_flag_slot, krb_delegate_basic,
FLAG, "Always offer Basic authentication regardless of KrbMethodK5Pass and pass on authentication to lower modules if Basic headers arrive."),
+ command("KrbEnableSSLPreauthentication", ap_set_flag_slot, krb_ssl_preauthentication,
+ FLAG, "Don't do Kerberos authentication if the user is already authenticated using SSL and her client certificate."),
+
#ifdef KRB5
command("Krb5Keytab", ap_set_file_slot, krb_5_keytab,
TAKE1, "Location of Kerberos V5 keytab file."),
((kerb_auth_config *)rec)->krb_service_name = NULL;
((kerb_auth_config *)rec)->krb_authoritative = 1;
((kerb_auth_config *)rec)->krb_delegate_basic = 0;
+ ((kerb_auth_config *)rec)->krb_ssl_preauthentication = 0;
#ifdef KRB5
((kerb_auth_config *)rec)->krb_method_k5pass = 1;
((kerb_auth_config *)rec)->krb_method_gssapi = 1;
else
return DECLINED;
+ if (conf->krb_ssl_preauthentication) {
+ const char *ssl_client_verify = ssl_var_lookup(r->pool, r->server,
+ r->connection, r, "SSL_CLIENT_VERIFY");
+
+ if (ssl_client_verify && strcmp(ssl_client_verify, "SUCCESS") == 0)
+ return OK;
+ }
+
/* get what the user sent us in the HTTP header */
auth_line = MK_TABLE_GET(r->headers_in, (r->proxyreq == PROXYREQ_PROXY)
? "Proxy-Authorization"